Skip to content

HYPERFLEET-1123 - feat: define hyperfleet-critical PriorityClass and apply to maestro pods#51

Open
kuudori wants to merge 1 commit into
openshift-hyperfleet:mainfrom
kuudori:HYPERFLEET-1123
Open

HYPERFLEET-1123 - feat: define hyperfleet-critical PriorityClass and apply to maestro pods#51
kuudori wants to merge 1 commit into
openshift-hyperfleet:mainfrom
kuudori:HYPERFLEET-1123

Conversation

@kuudori

@kuudori kuudori commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Define hyperfleet-critical PriorityClass (value: 1000000000) as a standalone manifest at manifests/priority-classes.yaml
  • Add install-priority-classes Makefile target, hooked into install-all and install-all-rabbitmq before install-maestro
  • Wire priorityClassName: hyperfleet-critical into all four maestro pod specs (server, agent, db, mqtt)
  • Bump chart dependency versions to 0.1.1 for upstream priorityClassName hooks

Verification

Tested on local kind cluster:

  • make install-priority-classes creates the PriorityClass with correct value
  • Idempotent on re-apply
  • kubectl get priorityclass hyperfleet-critical returns value=1000000000

Test plan

@openshift-ci

openshift-ci Bot commented Jun 11, 2026

Copy link
Copy Markdown

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@coderabbitai

coderabbitai Bot commented Jun 11, 2026
edited
Loading

Copy link
Copy Markdown

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e101e264-cdec-44bc-a136-96990d68c705

📥 Commits

Reviewing files that changed from the base of the PR and between fd53d6c and 4533703.

📒 Files selected for processing (4)
  • Makefile
  • helm/maestro/Chart.yaml
  • helm/maestro/values.yaml
  • manifests/priority-classes.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)
✅ Files skipped from review due to trivial changes (1)
  • helm/maestro/Chart.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • manifests/priority-classes.yaml
  • helm/maestro/values.yaml
📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Added a Kubernetes PriorityClass named hyperfleet-critical for higher scheduling priority (above default, below system-critical).
    • Updated CI testing and local deployment commands to automatically apply the priority classes before installing components.

  • Chores

    • Bumped the Helm umbrella chart version to 0.1.2.
    • Updated Helm values so Maestro server, embedded PostgreSQL, embedded Mosquitto, and agents use hyperfleet-critical, keeping the existing “safe to evict” settings unchanged.

Walkthrough

A Kubernetes PriorityClass named hyperfleet-critical is defined in manifests/priority-classes.yaml with priority value 1000000000 and globalDefault: false. A Makefile target install-priority-classes is added to apply this manifest via kubectl apply, and this target is inserted into the dependency chains of ci-test, local-up-kind, and local-up-gcp to run before Maestro installation. The Helm chart version is bumped from 0.1.1 to 0.1.2. The values.yaml adds priorityClassName: hyperfleet-critical to Maestro server, PostgreSQL, Mosquitto, and agent pods alongside their existing cluster-autoscaler.kubernetes.io/safe-to-evict: "false" annotations.

Sequence Diagram

sequenceDiagram
  participant Deployment as local-up-kind/gcp
  participant Make as Make install-priority-classes
  participant Kubectl
  participant K8sAPI as Kubernetes API
  participant HelmChart as Helm: Maestro Chart
  participant Scheduler as Pod Scheduler
  Deployment->>Make: Invoke target
  Make->>Kubectl: kubectl apply priority-classes.yaml
  Kubectl->>K8sAPI: Apply PriorityClass hyperfleet-critical
  K8sAPI-->>Kubectl: Resource created (1000000000)
  Kubectl-->>Make: Success
  Deployment->>HelmChart: helm install with values.yaml
  HelmChart->>Scheduler: Pod spec references priorityClassName
  Scheduler->>Scheduler: Schedule with priority 1000000000
Loading

Security & Configuration Risk Analysis

PriorityClass value collision risk (CWE-400): hyperfleet-critical at 1000000000 occupies the high-priority band. Verify this value does not collide with or fall below system-reserved classes (system-node-critical: 2000000000, system-cluster-critical: 2000001000). If precedence is inverted, pod eviction protection fails and system stability is compromised.

Kubectl apply without input validation (CWE-345): The install-priority-classes Make target performs manifest application with only check-kubectl as a guard—no schema validation, dry-run, API server authorization pre-check, or admission controller simulation. If manifests/priority-classes.yaml is modified or compromised upstream, invalid or malicious scheduling directives apply directly.

Overly broad safe-to-evict false policy (CWE-400): Setting cluster-autoscaler.kubernetes.io/safe-to-evict: "false" on PostgreSQL and Mosquitto prevents node scale-down, even during low utilization. If these dependencies are not genuinely crash-critical, overly broad non-evictable policy increases cluster fragmentation and wasted node capacity.

No manifest schema validation before install: The Makefile target does not validate manifests/priority-classes.yaml schema or confirm resource existence before Helm references it in pod specs. If the manifest is malformed or the install step is skipped, Helm pod scheduling fails silently with pending pods (supply chain risk).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Title check ✅ Passed The title directly describes the main changes: defining a hyperfleet-critical PriorityClass and applying it to maestro pods.
Description check ✅ Passed The description comprehensively covers all changeset components: PriorityClass definition, Makefile integration, pod spec wiring, and verification steps.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output ✅ Passed No secrets, credentials, tokens, or passwords found in log statements across all PR changes. Makefile, Helm charts, and manifest files contain no logging with sensitive data.
No Hardcoded Secrets ✅ Passed No hardcoded secrets found. maestro-password is a dev/demo placeholder in Helm values, not a real credential. No base64 strings >32 chars, embedded credentials (user:pass@host), API keys, or actu...
No Weak Cryptography ✅ Passed PR contains zero cryptographic code. No Go/Python files found. All changes are Kubernetes/Helm configuration (PriorityClass manifest, values.yaml, Chart.yaml, Makefile). No banned primitives detected.
No Injection Vectors ✅ Passed No injection vectors detected. Makefile uses quoted, hardcoded manifest paths. Helm values contain only hardcoded priorityClassName strings. No SQL, exec.Command, template.HTML, or yaml.Unmarshal p...
No Privileged Containers ✅ Passed No privileged container configurations detected. PR adds PriorityClass for scheduling and references it in pod specs; no securityContext, privileged, hostPID, hostNetwork, hostIPC, or root user set...
No Pii Or Sensitive Data In Logs ✅ Passed PR contains no logging statements (slog, logr, zap, log, fmt.Print*) that expose PII, session IDs, request/response bodies, or credentials. Changes are Makefile, Helm configs, and Kubernetes manife...

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
✨ Simplify code
  • Create PR with simplified code

Comment @coderabbitai help to get the list of available commands and usage tips.

@kuudori kuudori marked this pull request as ready for review June 16, 2026 17:41
@openshift-ci

openshift-ci Bot commented Jun 16, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tirthct for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai[bot]
coderabbitai Bot reviewed Jun 16, 2026
View reviewed changes

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@helm/maestro/Chart.yaml`:
- Around line 9-16: The chart dependencies maestro-server and maestro-agent have
a reproducibility issue where the version fields are pinned to "0.1.1" but the
repository URLs use the mutable branch ref "?ref=main". To fix this, replace the
mutable branch references (?ref=main) in both the maestro-server and
maestro-agent repository URLs with an immutable reference that matches version
0.1.1, either by using an immutable git tag (such as ?ref=v0.1.1) or a specific
commit SHA, depending on what the upstream maestro repository provides for that
version.

In `@Makefile`:
- Line 117: The kubectl apply recipe on line 117 expands the $(MANIFESTS_DIR)
variable unquoted, creating a shell injection vulnerability (CWE-78) where
malicious input could execute arbitrary commands. Fix this by quoting the
variable reference in the file path passed to kubectl apply, changing
$(MANIFESTS_DIR) to "$(MANIFESTS_DIR)" to safely handle any input containing
special characters or shell metacharacters.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ebb6030d-47f8-49ca-99c2-3fa45aacd35a

📥 Commits

Reviewing files that changed from the base of the PR and between 9034fc3 and e21624d.

📒 Files selected for processing (4)
  • Makefile
  • helm/maestro/Chart.yaml
  • helm/maestro/values.yaml
  • manifests/priority-classes.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)

Comment thread helm/maestro/Chart.yaml
Comment thread Makefile Outdated
@kuudori kuudori force-pushed the HYPERFLEET-1123 branch 4 times, most recently from 6a30649 to c0d38fa Compare June 16, 2026 18:46
coderabbitai[bot]
coderabbitai Bot reviewed Jun 16, 2026
View reviewed changes

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (1)
Makefile (1)

117-117: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Unquoted Make variable in recipe enables shell injection (CWE-78).

Line 117 expands $(MANIFESTS_DIR) unquoted in a shell command; environment/CLI override can inject shell metacharacters on CI runners. Quote the path argument.

As per coding guidelines, **/Makefile: “Flag shell injection via unquoted variables in recipes.”

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Makefile` at line 117, The kubectl apply command on line 117 in the Makefile
uses an unquoted Make variable $(MANIFESTS_DIR) which creates a shell injection
vulnerability (CWE-78). Quote the entire path argument by wrapping
$(MANIFESTS_DIR)/priority-classes.yaml in double quotes to prevent shell
metacharacters in environment or CLI overrides from being interpreted as shell
commands.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@Makefile`:
- Line 117: The kubectl apply command on line 117 in the Makefile uses an
unquoted Make variable $(MANIFESTS_DIR) which creates a shell injection
vulnerability (CWE-78). Quote the entire path argument by wrapping
$(MANIFESTS_DIR)/priority-classes.yaml in double quotes to prevent shell
metacharacters in environment or CLI overrides from being interpreted as shell
commands.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8f6475a3-6afa-4167-a2d6-562530ac2f80

📥 Commits

Reviewing files that changed from the base of the PR and between 6a30649 and c0d38fa.

📒 Files selected for processing (4)
  • Makefile
  • helm/maestro/Chart.yaml
  • helm/maestro/values.yaml
  • manifests/priority-classes.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift-hyperfleet/architecture (manual)
  • openshift-hyperfleet/hyperfleet-api (manual)
  • openshift-hyperfleet/hyperfleet-sentinel (manual)
  • openshift-hyperfleet/hyperfleet-adapter (manual)
  • openshift-hyperfleet/hyperfleet-broker (manual)
✅ Files skipped from review due to trivial changes (1)
  • helm/maestro/Chart.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • helm/maestro/values.yaml
  • manifests/priority-classes.yaml

@kuudori

kuudori commented Jun 16, 2026

Copy link
Copy Markdown
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@kuudori